Trusting Companies With Government Secrets
With thousands of companies competing for federal contracts related to security, how does the federal government determine whether or not it should trust a particular security supplier?
Generally, the government will require that any supplier whose work requires access to secure information obtain appropriate security clearances for individuals who will deal with that information. There are also rules that relate to facilities that store sensitive government data outside of government facilities during work on a contract.
But beyond vetting individuals for security clearances, the government appears to have no overall system for determining whether a company as a whole can be trusted with a contract involving work that impinges on national security. “I can’t imagine any process through which a government agency would clear an entire company,” says Marti Mercer, a spokesperson for the National Security Agency. “The contracting employees that would do the work for the government would be investigated and cleared, but not the company. Trust is placed in people.”
To get a closer look at how government secures its purchasing procedures, Government Security recently spoke with David A. Drabkin, deputy associate administrator for acquisition policy with the General Services Administration (GSA). The conversation also included Larry Allen, executive vice president of the Coalition for Government Procurement, an association representing more than 300 companies that sell to the government. Here’s what they had to say.
GS: How does the government make sure it can trust the security providers it contracts with?
Drabkin: Generally, it depends on what we’re buying. If it is commercial software, hardware and integration services, the level of security we require is usually the same that a company buying those products and services might require. As the nature of the requirements changes to demand more security, we will include new requirements in the documents.
GS: Suppose I represent a company that wants to sell a security system to the Department of Defense (DoD). While installing that system, my company would have access to sensitive or even classified information. How do you make sure you can trust us?
Allen: If you’re going to have access to secure information, the government will require your people to have security clearances. This is a huge issue for suppliers right now. More and more, government agencies are asking for companies that provide services of any type to provide personnel with security clearances. Appropriate clearances can take up to a year to get. And they cost a lot of money.
Drabkin: That’s right. A contract requiring a company to deal with classified information will indicate that any individual having access to that information must possess an appropriate security clearance.
GS: What do you mean by appropriate?
Drabkin: There are several levels. Confidential is the lowest security clearance classification. The next step up is a secret clearance. Then comes top secret. There are more strict compartmentalized categories above top secret.
GS: How much does a security clearance cost?
Drabkin: On average, it costs about $20,000 to clear someone that hasn’t already been cleared. The process takes about a year. But this is all part of the cost of doing business with the government.
GS: Who handles these clearances?
Drabkin: The Department of Homeland Security has people that do this. So does the DoD.
Allen: More and more, government agencies ask for companies that contract for services of any type to provide personnel with security clearances. Government contractors take this very seriously. You can see this in the hiring practices of suppliers. There is an increasing demand for people coming out of the military — people who already have security clearances. Although these clearances aren’t automatically transferable, they can expedite the process.
GS: When do security clearances come into play in the purchasing process?
Allen: In the labor descriptions. A government solicitation contains a section for contractors to list their labor capabilities and rates. When completing this section, the contractor, for example, might note that a Security Specialist 4 holding a top-secret security clearance and billing $300 per hour will fill a certain position.
GS: What if a security company working on a government contract must work on data files at some other location — its own offices for example?
Drabkin: There are always risks related to sharing information. We try to eliminate these risks as best we can. For example, there is a process called industrial classification. A number of public and private organizations provide industrial classification certifications for facilities that store hard and soft data outside of a government site. The DoD, for instance, has a group that supervises industrial classification issues. Under their rules, classified storage containers for data files must be constructed and operated according to strict specifications.
GS: You’ve described two steps to vetting people and companies: security clearances for people and industrial classifications for facilities. What other problems need to be addressed in this area?
Drabkin: The problem we’re having is that when the Berlin Wall came down in the early 1990s, people figured that the threats that we faced in government were gone. Since Sept. 11, of course, people have come to realize that the threats weren’t gone after all. In fact, new threats were perhaps more pervasive because they arose from unexpected sources. As a result, the government has been scrambling to figure out how to mitigate threats in reasonable ways.
GS: You use the word reasonable. Are you describing a balancing act?
Drabkin: Yes. You can never eliminate threats. A determined enemy will find a way to get the information it wants. All we can do is make it more difficult. On the other hand, what you can be sure about is that you don’t accidentally give up information that affects national security. Right now, we’re all in the process of figuring out what levels of security we need for the various functions we perform.
GS: What is the major challenge to setting security levels related to security contractors?
Drabkin: This is principally an information technology (IT) challenge. Security products, for example, usually include hardware, software, and integration services that might be purchased to manage secure information. A committee within the Federal Acquisition Regulation Council (FARC), the organization that makes government-wide acquisition rules, is currently working on general standards for IT acquisition. They are proposing rules that will weigh the need for security against cost and capability.
GS: When will the FARC committee report come out?
Drabkin: The first step will be to issue a set of proposed rules for public comment. This will probably happen in February. It’s an example of how we’re working to figure out what kind of general guidance we can give folks so we don’t all wind up doing different things and confusing industry about how to manage security.
GS: What can state and local governments learn from what the federal government is doing about ensuring the trustworthiness of suppliers?
Drabkin: State and local governments have the same problems that we have, though on a smaller scale. So they have to find ways to do the same things we’re working on: balancing the costs of security against the requirements for transparency and the need to spend the taxpayers’ money effectively.